The Hacker News — Cyber Security, Hacking, Technology News

Mozilla has released an important update for its Firefox web browser to patch a critical vulnerability that could allow remote attackers to execute malicious code on computers running an affected version of the browser.

The update comes just a week after the company rolled out its new Firefox Quantum browser, a.k.a. Firefox 58, with new features such as an improved graphics engine and performance optimizations, along with patches for more than 30 vulnerabilities.

According to a security advisory published by Cisco, Firefox 58.0.1 addresses an 'arbitrary code execution' flaw that stems from 'insufficient sanitization' of HTML fragments in chrome-privileged documents (the browser UI).

Hackers could exploit this vulnerability (CVE-2018-5124) to run arbitrary code on the victim's computer just by tricking them into accessing a link or 'opening a file that submits malicious input to the affected software.'

"A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely," the advisory states.

This could allow an attacker to install programs, create new accounts with full user rights, and view, change or delete data.

However, if the application has been configured to have fewer user rights on the system, the exploitation of this vulnerability could have less impact on the user.

Affected web browser versions include Firefox 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The vulnerability has been addressed in Firefox 58.0.1, which you can download from the company's official website.

The issue, which was discovered by Mozilla developer Johann Hofmann, does not affect Firefox for Android or Firefox 52 ESR.

Users are recommended to apply the software updates before hackers exploit this issue, and to avoid opening links in emails or messages that appear to come from suspicious or unrecognized sources.

Administrators are also advised to use an unprivileged account when browsing the Internet and monitor critical systems.

A highly critical vulnerability has been discovered in Cisco Systems' WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim's computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences, that helps users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension.

To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code in a browser with the affected extension installed.

Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

"I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them," Ormandy said. "This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well."

Cisco has already patched the vulnerability and released the "Cisco WebEx Extension 1.0.12" update for Chrome and Firefox browsers, which addresses this issue, though "there are no workarounds that address this vulnerability."

Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of the operating system or application running on them, and worse, the flaw cannot be entirely fixed with any mere software update.

The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works, and it allows the Address Space Layout Randomization (ASLR) protection to be bypassed.

ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.

In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device's memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.

In short, for attackers, it's like an attempt to burglarize a house blindfolded.

But now a group of researchers, known as VUSec, from the Vrije University in the Netherlands have developed an attack that can bypass ASLR protection on at least 22 processor micro-architectures from popular vendors like Intel, AMD, ARM, Allwinner, Nvidia, and others.

The attack, dubbed ASLR Cache or AnC, is particularly serious because it uses simple JavaScript code to identify the base addresses in memory where system and application components are executed.

So, merely visiting a malicious site can trigger the attack, which allows attackers to conduct more attacks targeting the same area of the memory to steal sensitive information stored in the PC's memory.

Here's how the attack works:

The attack exploits the way microprocessors and memory interact with each other.

The MMU, which is present in desktop, mobile and server chips and is tasked with mapping where a computer stores programs in its memory, constantly consults a directory called a page table to keep track of those addresses.

Devices usually store the page table in the CPU’s cache which makes the chip speedier and more efficient. But this component also shares some of its cache with untrusted applications, including browsers.

Therefore, a piece of JavaScript code running on a malicious website can also write to that cache (a side-channel attack), allowing attackers to discover where software components, like libraries and RAM-mapped files, are located in virtual memory.

With this location data in hand, an attacker can read portions of the computer's memory, which they could then use to launch more complex exploits, escalate access to the complete operating system, and hijack the computer.

The researchers successfully carried out AnC JavaScript attacks via up-to-date Chrome and Firefox web browsers on 22 different CPU micro-architectures in about 90 seconds, despite the ASLR protections built into those browsers, such as deliberately degraded JavaScript timers.

The VUSec research team has published two research papers [1, 2] detailing the AnC attack, along with two video demonstrations showing the attack running in a Firefox browser on a 64-bit Linux machine.

In their attack, the researchers combined their AnC JavaScript with attack code that exploits a now-patched use-after-free vulnerability (CVE-2013-0753) in Firefox. Issues with AnC attacks are tracked through several CVE identifiers, including:

CVE-2017-5925 for Intel processors

CVE-2017-5926 for AMD processors

CVE-2017-5927 for ARM processors

CVE-2017-5928 for a timing issue affecting multiple browsers

The VUSec team notified all the affected chipmakers and software firms, including Intel, AMD, Samsung, Nvidia, Microsoft, Apple, Google, and Mozilla, more than three months ago, but only now went public with their findings.

"The conclusion is that such caching behavior and strong address space randomization are mutually exclusive," the paper concludes. "Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical."

"Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software. We hence recommend ASLR to no longer be trusted as the first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."

According to the team, the only way you can protect yourself against AnC attacks is to enable plug-ins, such as NoScript for Firefox or ScriptSafe for Chrome, to block untrusted JavaScript code on web pages from running in the browser.

Just like most of you, I too really hate filling out web forms, especially on mobile devices.

To help make this whole process faster, Google Chrome and other major browsers offer an "Autofill" feature that automatically fills out web forms based on data you have previously entered in similar fields.

However, it turns out that an attacker can use this autofill feature against you and trick you into spilling your private information to hackers or other malicious third parties.

Finnish web developer and whitehat hacker Viljami Kuosmanen published a demo on GitHub that shows how an attacker could take advantage of the autofill feature provided by most browsers, plugins, and tools such as Password Managers.

Although this trick was first discovered by Ricardo Martin Rodriguez, Security Analyst at ElevenPaths, in 2013, it seems Google hasn't done anything to address the weakness in the Autofill feature.

The proof-of-concept demo website consists of a simple online web form with just two fields: Name and Email. But what's not visible are many hidden (out of sight) fields, including the phone number, organization, address, postal code, city, and country.

Giving away all your Personal Information Unknowingly

So, if users with an autofill profile configured in their browsers fill out this simple form and click the submit button, they send all the fields, unaware that the six fields that are hidden from them but present on the page also get filled out and sent to unscrupulous phishers.

You can also test your browser's and extensions' autofill feature using Kuosmanen's PoC site.

Kuosmanen's attack could be made even worse by adding more personal fields out of the user's sight, including the user's address, credit card number, expiration date, and CVV, although auto-filling financial data into forms will trigger warnings in Chrome when sites do not offer HTTPS.

Kuosmanen's attack works against a variety of major browsers and autofill tools, including Google Chrome, Apple Safari, Opera, and even the popular cloud security vault LastPass.

Mozilla's Firefox users do not need to worry about this particular attack, as the browser currently does not have a multi-box autofill system and forces users to select pre-fill data for each box manually.
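As an added, defender-side illustration of the hidden-field trick described above (this is not code from the article or from Kuosmanen's PoC), the scanner below parses a form and separates the autofill-relevant fields a user can see from those hidden by inline CSS. The sample form is constructed here to mirror the described demo: two visible fields plus six CSS-hidden PII fields; the PII token list is a hand-picked subset of the HTML autocomplete vocabulary, and the hiding heuristics are assumptions of this example.

```python
"""Flag form fields that browser autofill can populate but the user cannot see.

Heuristic: a field counts as hidden when its inline style hides it
(display:none, visibility:hidden, opacity:0) or pushes it far off-screen
(left/top with a large negative offset). type="hidden" inputs are ignored
because browsers do not autofill them; the trick relies on CSS-hidden inputs.
"""
import re
from html.parser import HTMLParser

# Subset of autocomplete tokens / field names that autofill will populate
PII_TOKENS = {"name", "email", "tel", "organization", "street-address",
              "address-line1", "postal-code", "address-level2", "country",
              "cc-number", "cc-exp", "cc-csc"}

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)


class AutofillFieldScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        if (a.get("type") or "text").lower() == "hidden":
            return  # never autofilled by browsers
        # autocomplete token wins; otherwise fall back to the field name
        key = (a.get("autocomplete") or a.get("name") or "").lower()
        if key not in PII_TOKENS:
            return
        (self.hidden if HIDDEN_STYLE.search(a.get("style") or "")
         else self.visible).append(key)


def scan_form(html):
    """Return which autofill-relevant fields are visible vs. CSS-hidden."""
    parser = AutofillFieldScanner()
    parser.feed(html)
    return {"visible": parser.visible, "hidden": parser.hidden}


# Constructed sample mirroring the described PoC: two visible, six hidden fields
SAMPLE_FORM = """<form action="/submit" method="post">
  <input name="name" autocomplete="name" placeholder="Name">
  <input name="email" autocomplete="email" placeholder="Email">
  <input name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input name="organization" style="display:none">
  <input name="address" autocomplete="street-address" style="opacity:0">
  <input name="postal-code" style="visibility: hidden">
  <input name="city" autocomplete="address-level2" style="left:-5000px;top:0">
  <input name="country" style="display : none">
  <input type="hidden" name="csrf" value="tok">
  <button type="submit">Send</button>
</form>"""
```

Running `scan_form(SAMPLE_FORM)` reports only `name` and `email` as visible while six PII fields are hidden, which is the signal a form-review tool or browser extension would warn on before autofill submits them.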
